Nixpkgs security tracker

Permalink CVE-2026-34091

5.5 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Recovery (R): User (U)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

User localization leaked by AbuseFilter + EventStream

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.

References

https://phabricator.wikimedia.org/T411305

Affected products

MediaWiki

<1.43.7, 1.44.4, 1.45.2

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.3
- nixpkgs-unstable 1.45.3
- nixos-unstable-small 1.45.3

pkgs.python313Packages.mediawiki-langcodes

Convert MediaWiki language names and language codes

nixos-unstable 0.2.22
- nixpkgs-unstable 0.2.22
- nixos-unstable-small 0.2.22

pkgs.python314Packages.mediawiki-langcodes

Convert MediaWiki language names and language codes

nixos-unstable 0.2.22
- nixpkgs-unstable 0.2.22
- nixos-unstable-small 0.2.22

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@theobori Théo Bori <theobori@disroot.org>

Permalink CVE-2026-34095

0.0 NONE

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

action=raw with Special:Mypage subpage title responds with "Content-Type: text/html" on ctype=text/javascript request

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.

References

https://phabricator.wikimedia.org/T419192

Affected products

MediaWiki

<1.43.7, 1.44.4, 1.45.2

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.3
- nixpkgs-unstable 1.45.3
- nixos-unstable-small 1.45.3

pkgs.python313Packages.mediawiki-langcodes

Convert MediaWiki language names and language codes

nixos-unstable 0.2.22
- nixpkgs-unstable 0.2.22
- nixos-unstable-small 0.2.22

pkgs.python314Packages.mediawiki-langcodes

Convert MediaWiki language names and language codes

nixos-unstable 0.2.22
- nixpkgs-unstable 0.2.22
- nixos-unstable-small 0.2.22

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@theobori Théo Bori <theobori@disroot.org>

Permalink CVE-2026-34088

1.3 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): Passive (P)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): Unreported (U)
Recovery (R): User (U)
Vulnerability Response Effort (RE): Moderate (M)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Passive (P)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Value Density (V): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

RecentChanges entries expose suppressed content via generated log page html

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.

References

https://phabricator.wikimedia.org/T410429

Affected products

MediaWiki

<1.43.7, 1.44.4, 1.45.2

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.3
- nixpkgs-unstable 1.45.3
- nixos-unstable-small 1.45.3

pkgs.python313Packages.mediawiki-langcodes

Convert MediaWiki language names and language codes

nixos-unstable 0.2.22
- nixpkgs-unstable 0.2.22
- nixos-unstable-small 0.2.22

pkgs.python314Packages.mediawiki-langcodes

Convert MediaWiki language names and language codes

nixos-unstable 0.2.22
- nixpkgs-unstable 0.2.22
- nixos-unstable-small 0.2.22

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@theobori Théo Bori <theobori@disroot.org>

Permalink CVE-2026-34094

2.0 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Attack Requirement (AT): Present (P)
Privileges Required (PR): High (H)
User Interaction (UI): Passive (P)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): Passive (P)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Page/Article.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.

References

https://phabricator.wikimedia.org/T416090

Affected products

MediaWiki

<1.43.7, 1.44.4, 1.45.2

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.3
- nixpkgs-unstable 1.45.3
- nixos-unstable-small 1.45.3

pkgs.python313Packages.mediawiki-langcodes

Convert MediaWiki language names and language codes

nixos-unstable 0.2.22
- nixpkgs-unstable 0.2.22
- nixos-unstable-small 0.2.22

pkgs.python314Packages.mediawiki-langcodes

Convert MediaWiki language names and language codes

nixos-unstable 0.2.22
- nixpkgs-unstable 0.2.22
- nixos-unstable-small 0.2.22

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@theobori Théo Bori <theobori@disroot.org>

Permalink CVE-2026-34092

2.1 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): Passive (P)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Passive (P)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

Block UI elements in 'tools'-sidebar shows presence of an autoblocked IP

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Skin/Skin.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.

References

https://phabricator.wikimedia.org/T384147

Affected products

MediaWiki

<1.43.7, 1.44.4, 1.45.2

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.3
- nixpkgs-unstable 1.45.3
- nixos-unstable-small 1.45.3

pkgs.python313Packages.mediawiki-langcodes

Convert MediaWiki language names and language codes

nixos-unstable 0.2.22
- nixpkgs-unstable 0.2.22
- nixos-unstable-small 0.2.22

pkgs.python314Packages.mediawiki-langcodes

Convert MediaWiki language names and language codes

nixos-unstable 0.2.22
- nixpkgs-unstable 0.2.22
- nixos-unstable-small 0.2.22

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@theobori Théo Bori <theobori@disroot.org>

Permalink CVE-2026-34093

1.1 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): Active (A)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): Unreported (U)
Recovery (R): Automatic (A)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Active (A)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

Special:UserRights allows viewing user rights from private wiki

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Specials/SpecialUserRights.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.

References

https://phabricator.wikimedia.org/T414547

Affected products

MediaWiki

<1.43.7, 1.44.4, 1.45.2

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.45.3
- nixpkgs-unstable 1.45.3
- nixos-unstable-small 1.45.3

pkgs.python313Packages.mediawiki-langcodes

Convert MediaWiki language names and language codes

nixos-unstable 0.2.22
- nixpkgs-unstable 0.2.22
- nixos-unstable-small 0.2.22

pkgs.python314Packages.mediawiki-langcodes

Convert MediaWiki language names and language codes

nixos-unstable 0.2.22
- nixpkgs-unstable 0.2.22
- nixos-unstable-small 0.2.22

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@theobori Théo Bori <theobori@disroot.org>

Permalink CVE-2025-6589

created 4 months, 2 weeks ago Activity log

Created suggestion 4 months, 2 weeks ago

With MultiBlocks enabled and a user who is suppressed via a MultiBlock, a user without 'hideuser' can see the hidden username in the BlockList

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php. This issue affects MediaWiki: >= 1.42.0.

References

https://phabricator.wikimedia.org/T391343

Affected products

MediaWiki

==>= 1.42.0

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.44.2
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Permalink CVE-2025-6597

created 4 months, 2 weeks ago Activity log

Created suggestion 4 months, 2 weeks ago

MediaWiki should not consider autocreation as login for the purposes of security reauthentication

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.

References

https://phabricator.wikimedia.org/T389009

Affected products

MediaWiki

<1.39.13, 1.42.7, 1.43.2, 1.44.0

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.44.2
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Permalink CVE-2025-61639

created 4 months, 2 weeks ago Activity log

Created suggestion 4 months, 2 weeks ago

Suppressed blocked IP is visible in Special:BlockList, RC, and other places

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

References

https://phabricator.wikimedia.org/T280413

Affected products

MediaWiki

<1.39.14, 1.43.4, 1.44.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.44.2
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Permalink CVE-2025-61634

created 4 months, 2 weeks ago Activity log

Created suggestion 4 months, 2 weeks ago

HTML rest endpoint needs PoolCounter and proper parser cache check

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.

References

https://phabricator.wikimedia.org/T387478

Affected products

MediaWiki

<1.39.14, 1.43.4, 1.44.1

Matching in nixpkgs

pkgs.mediawiki

Collaborative editing software that runs Wikipedia

nixos-unstable 1.44.2
- nixpkgs-unstable 1.45.0
- nixos-unstable-small 1.45.0

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

pkgs.python313Packages.mediawiki-langcodes

pkgs.python314Packages.mediawiki-langcodes

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

pkgs.python313Packages.mediawiki-langcodes

pkgs.python314Packages.mediawiki-langcodes

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

pkgs.python313Packages.mediawiki-langcodes

pkgs.python314Packages.mediawiki-langcodes

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

pkgs.python313Packages.mediawiki-langcodes

pkgs.python314Packages.mediawiki-langcodes

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

pkgs.python313Packages.mediawiki-langcodes

pkgs.python314Packages.mediawiki-langcodes

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

pkgs.python313Packages.mediawiki-langcodes

pkgs.python314Packages.mediawiki-langcodes

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.mediawiki

Package maintainers